The SafetyNet API is the bane of root and custom ROM users everywhere. For those unfamiliar, it is the part of the Google Play Services API that is designed to detect modified devices. If your system is tampered with in any way, whether by rooting or by installing a custom ROM, the SafetyNet check will fail. Android Pay, among other applications, uses this API and will fail to run if SafetyNet fails.

Reports are coming in from Reddit and our own tip box that SafetyNet appears to fail on some bootloader-unlocked devices, even if the device has not been modified in any other way. Devices confirmed to have issues include the Nexus 6P, OnePlus 3, and Nexus 6. Android Pay fails to add cards and process transactions on said devices.

Now, before you get your pitchforks out, this may actually be a bug. Reports started coming in last night from Reddit, but newer comments claim the change was reversed after the commenters waited or rebooted their devices. We reached out to Google for comment, but have not yet received a response.

Seems like Google's really dropping the hammer on root users. It's a shame. I had to give up my unlimited data with Verizon because on Nougat I could no longer edit my build.prop for tethering and use Android Pay at the same time.

Eli McCrory

I'm on Verizon and kept my UDP. You can still edit the build.prop and use Android Pay

Not carrying a wallet would be ideal, but I'm too invested in root and Xposed. App Settings alone makes it worth giving up Android Pay.

...then again, my bank doesn't support it and my grandfathered card expired a few days ago, so it's not like I could use the damn thing even if I went back to stock.

demarcmj

I don't live in a city so I have to drive everywhere... which means I need my license... which means I need my wallet. :-/

Cory S

Or, sometimes I like to get a drink...and I need my wallet. Bars also don't take mobile payments. I also need to be able to get into my office, which is another access card incompatible with NFC I need to carry.

I really don't get the point of mobile payments. It's fun, but not really practical. S-Pay comes closest to being useful, but I am still nowhere near at the point where I could leave my credit cards at home, let alone my wallet...so what's the point.

demarcmj

This is why I'm not too concerned about not being able to use it. My concern is mostly for the future, if other apps (ones that I may potentially be interested in) start to use SafetyNet.

The way SafetyNet works is very complicated, involving numerous server-side checks. Good luck with making an Xposed module for that.

b0b

Theoretically, any anti-tamper measure can be defeated, although as you mention, it can be complicated.

Amit_N

and Google will roll out an updated Google Services with new detection method along with another battery draining bug!

My1

but if xposed or whatever would just stay between and instead of letting the safetynet do its checks it just answers "it's fine" or whatever, wouldn't that be possible?

Vratislav Jindra

Just use suhide.

JLV90

I think the latest SafetyNet API update kills suhide.

Civicsr2cool

did you bother to read this article? safetynet now checks bootloader, meaning fully unrooted you can't even pass it now.

cmbeid

I'm getting an error too. Not sure if running custom kernel would cause it to fail though...

demarcmj

Pretty sure running a custom kernel already caused it to fail before this.

cmbeid

Well, I would much rather have a custom kernel and a usable Nexus 6 than stock kernel+working Android Pay and a phone that lags after 50% battery used up. Shame that it doesn't work though.

demarcmj

I agree. Custom kernel is more important to me than Android Pay. And even if it could be hidden like root can be, it's not worth the hassle to me. At least now the "is it worth the hassle" question goes away since it seems you won't be able to use it at all if you are unlocked.

NYZack

I have Franco kernel on my Nexus 6, and, until recently, as long as I wasn't rooted, I passed all Safetynet checks and was able to use Android Pay. With the latest developments, Safetynet apps show that I fail, but I can still use Android Pay.

JT3

I only unlocked my bootloader to allow me to flash system images. I wouldn't mind locking it again, but doing so would wipe my 6P. This is pretty lame to do this to non-rooted phones, without warning, when we have no non-destructive means to resolve the issue.

demarcmj

That's why they have OTAs. You don't *need* to flash system images. You can sideload the OTAs.

JT3

That's fine and all, but when I got my 6P, Google didn't officially release OTA versions like they do now. That's why I wouldn't mind locking it now. Once upon a time, your device was only wiped when UNlocking your bootloader. Now it wipes in both directions, which is stupid.

demarcmj

I agree... that is stupid.

cbstryker

I don't think locking it wipes anything. Only unlocking it. But don't hold me to that.

cadtek91

I agree with you.

Michael Coates

Pretty certain even locking wipes these days. Worth looking into in more detail I think!

Another advantage is for making Nandroid backups with temporarily booted TWRP. Since you're not flashing a custom recovery, OTAs still work plus you're able to restore your phone should something go wrong. That's part of the reason I keep my bootloader unlocked even though I don't always root my Nexus 6 anymore.

blindexecutioner

I guess I don't care much as I see limited usefulness in Android Pay. However, if Google continues dicking root users like this and locking everything down I have no problem whatsoever trying out a different OS that also locks users down. A lot of people seem to be happy on that side of the pond but the openness with Android has kept me here.

Lucas de Eiroz ™

I use custom ROMs and root in every device I have. But I understand why Android Pay needs that security check, so I don't care about it. Would be totally different if they lock some other non-important service like Snapchat did.

Eastern37

I'm hoping that no other apps do what Snapchat have done. It's annoying having to unroot and then re-root just to get Snapchat to work on custom ROMs currently.

Nayan Waghmare

Android Pay does work if you have RootCloak on your device and you know how to set it up. I did this some time ago and as far as I know it does work.

As for Snapchat, you just need to uninstall Xposed framework and then log into Snapchat, possibly use RootCloak on this too, and once logged in, go to recovery and reinstall the framework.

yeah oook... that's why i am using snapchat on my rooted phone which also has xposed framework on it. cool.

Civicsr2cool

Cool story. I'm also running Snapchat with root and xposed, doesn't mean you installed it in that configuration did you.

prajwal nagabushan

As for Snapchat. Just install apk from 8 months ago. Login. Update it from playstore. Simple as that.
Hahah

JRomeo

I don't have a ROM, I'm not rooted, and bootloader still locked on my Pixel XL. and I still get the error with Android Pay, and still cannot add my debit cards :-(

4ui812

Bring on tizen.

Leo

Candy Crush != user happiness

zebinadams

It's not strictly true that a custom rom will automatically fail SafetyNet. So long as you remove root, it should still pass. If the issue with unlocked bootloaders isn't just a bug, that could change, but as of right now, you're perfectly able to pass SafetyNet while using a custom rom.
I've been running CM13 and haven't had any issues with Android Pay or Pokemon Go since unrooting.

demarcmj

But this article is about the unlocked bootloader part of things...

zebinadams

I know, I just wanted to point out that the third sentence isn't 100% accurate. It's a misconception that I've seen multiple people have about SafetyNet, myself included until after doing some additional research of my own.

It's not actually true that having an unlocked bootloader is what's triggering it according to what's appeared in the last few hours - it's whether the verified boot is green, orange or red. Green is OK, others will fail the test.

And how do you get orange or red? Custom kernel.

demarcmj

Having an unlocked bootloader *was* triggering it. As the article says, more recent reports are seeming to indicate that this might have been fixed though.

My bootloader is unlocked (purely to allow system images, otherwise, no changes), and it still fails in "SafetyNet Player." I'm not sure if it would actually fail in AP or not, but I'm guessing it would.

Wikiwix

You could rethink this for security (safety? I can never tell the difference..) reasons, at least if you have a Nexus, as Google provides full OTAs on the site as well, so you can flash "factory images" without compromising device security.

JT3

Well, yeah... now. When I originally unlocked my 6P, Google didn't provide OTAs like they do now, and locking the bootloader wipes the device. I'd be happy to relock my bootloader if I didn't have to wipe my device, or if Android had a real backup solution. 7.1's backup is supposed to actually work. Why couldn't they have held off on this little change until then, at least?!?

Wikiwix

I see, probably the only reason not to close it again, I can agree with.
I forgot that locking clears data too nowadays...

andy_o

Unlocking bootloader gets you orange.

J. Oliver

I had a fully stock load, but only unlocked BL and it fails 95% of the time. For some reason it will pass every 1-2min for a few seconds followed by failure.

JT3

How exactly does Android Pay fail when SafetyNet is tripped? Does it fail to load, or only fail to approve a transaction? SafetyNet Playground says I fail, but AP still opens, and I can see all my cards.

I don't agree with this. Nobody is forcing you to use Android Pay. Google has deals with the CC companies that depend on this security as they are the ones who have to pay out in the event of fraud. As much as I love modding, I get it. A device with an unlocked bootloader is significantly less secure.

Aaron Segaert

I don't care about Google Pay, this goes beyond that. But to your point, having an unlocked bootloader alone is no more insecure than carrying a physical credit card. Actually, carrying a credit card is much more insecure than having a phone with Android Pay and an unlocked bootloader. This is a red herring, an excuse to lock down your phone in Google's interest and not the customer's.

Sk0ly

I agree with some of this but not all.

Yes, a phone with an unlocked bootloader is more secure than a physical credit card. Hell almost anything is more secure than that. The point of pay by phone solutions like Android and Apple Pay is to provide a more secure method. Here in Canada, tap to pay is everywhere and I am actually blown away the credit card companies let it fly with the current implementation as there is no pin requirement and the only security is a spend limit.

Google couldn't give a crap about locking down your phone. What interest would they have in that? The only reason they would want to lock down your phone is for enterprise customers but for the general public's phones they never have and still don't give a crap about what you do in terms of custom roms, kernels, radios, etc.

My guess is the way Google and Apple are selling their payment solutions to these credit card companies is with security and less payouts in the form of fraud for the credit card companies. If you think about it, what other incentive would Visa, Mastercard, Amex, etc. have to support Google and Apple's platforms?

uhh

Google is not trying to lock you down... Any phone that is rooted and has a custom bootloader is insecure... You can easily go in to twrp, delete the password/PIN unlock file, then turn the phone back on, set up your own PIN and run Android pay... It makes perfect sense for Google to want to block root users from android pay... They aren't locking anyone down, nexus and pixel devices still come with unlocked bootloaders... Calm down...

Aaron Segaert

You can't even read temperature sensors on your device on Nougat without root. Make no mistake, Android is getting locked down and will become just as useless for enthusiasts as iOS. Don't be complacent is all I'm saying. Again, first it's Android pay, then it's Pokemon Go, then it's all kinds of other things.

Gautham Sivakumar

What? I don't think you know what you're talking about. People don't use "custom bootloaders". What you are referring to is a "custom recovery". Two completely different things. Google is targeting unlocked bootloaders. Therefore, any nexus device or Pixel device with an unlocked bootloader can't use Android Pay. And for the record, they don't come with unlocked bootloaders...they just have the ability to be easily unlocked.

I don't really need root nowadays, but I'm really frustrated that I cannot add Cerberus as a system app. I have this brand new S7 edge and I feel naked walking around with it without Cerberus installed as system app. Google's and Samsung's security features pale in comparison with Cerberus :(

Sk0ly

Why not just use ADM? It isn't quite as full featured but does 90% of what Cerberus does. Plus, with secure boot, phone theft isn't as lucrative as it used to be.

Lamm

I'm using it. But afaik ADM cannot survive a factory reset.

Sk0ly

This is true. I see what you are saying. For me, I am more concerned about my data than the phone itself. Also, with secure boot, it is not as lucrative for them to steal phones anymore unless they are an expert and can use ADB since wiping it still makes it useless without the last known google account. They should really tie secure boot into ADM

me me

Sorry but I need root more than I need AP. Time wasted on phone slowed down by ads which I can reduce with root is far more time saved than grabbing a piece of plastic.

operator207

I was telling my SO the other day, "If I could get AdAway on a non-rooted phone I would not need root." I have gotten to the point that AdA is the only thing I could not live without. I have tried others (that do not require root), none are better.
Ya, I have a few tweaks (reboot in menu, network activity, circle and number for battery all via GravityBox) but I would be fine dropping those if I could keep AdA features and get the rest of the apps that don't like root/xposed.

Will AdAway still be able to update its ad database/the app itself with this method? Because if so, you're my hero.

Ionut Lala

I used to be able to play Pokemon Go on my Nexus 5 with a CM14/Nougat ROM, but it stopped working. I hope this is the problem and it gets fixed soon.

Ionut Lala

(after deleting the su binaries)

Michael Tran

Any update on this?

nxtiak

Pixel XL here with latest version of Android 7.1.1, unlocked bootloader is all I've done and Android Pay doesn't work :(

DWXDX

if this isn't a bug then I blame Google for not giving an advanced notice (like the months notice for shutting down the Wallet Card program), which you usually do if it'll affect a wide demographic. They should fix this quickly and NOT wait for a Security patch like they did with the Nexus 6 7.0 upgrade.

Civicsr2cool

Google is really messing up Android. If we have to choose between two locked down OS's, iOS wins every time..

Matt Booth

No.

Nick

This is still an issue; reboot/waiting doesn't fix anything.

D_fens

Just worked for me ten seconds ago on a vending machine. My unlocked 6p hadn't worked for days.

Nick

Mine is still failing SafetyNet, rooted stock, 7.1.1 6p as well. do you have the latest play services?

D_fens

It's back to not working when I tried today. :(

JRomeo

Not working for me either on the Pixel XL, and this one is totally unaltered, unmodified, no root, and bootloader is not unlocked. any suggestions for me on how i could fix it?

If not try contacting google, be ready to send them a bug report. (either way you'll have to contact them)

JRomeo

it Does fail safetynet, but how is it possible for it to fail safetynet if this phone came straight out of the box, with no alterations? I submitted my bug report to google but i wish i could just fix this today instead of waiting for a bug report.... How long does a bug report take before they fix your issue anyways?

Vasu Chari

This is Brilliant. Google is shipping the Pixel phones with the BootLoader Unlocked (confirmed with Support). AndroidPay will not work with unlocked BootLoader.
So, a Google app will not work on a Google device with a Google OS and Google's default setting!

iFeign

You're wrong. The Pixel bootloaders are unlockable, but they're locked by default. You have to enable OEM unlocking in developer settings, then run the appropriate fastboot command.

Vasu Chari

My Pixel came with the BootLoader UNLocked. It displayed the warning when I first turned it on. I'm trying to figure out how to re-lock it so I can use AndroidPay.

iFeign

Boot into fastboot and run:
fastboot oem lock

Vasu Chari

sure. Should Google put its customers in a position that they have to do all this to be able to run their app on their OS on their h/w ?
I just installed Android Studio/SDK. looks like it's "fastboot flash lock"

iFeign

I agree, it's terrible UX, as per usual with Google products. I can't imagine the average user using fastboot.

I'm actually OK with leaving my bootloader locked at this point. The only reason I unlocked it a year ago was for the ability to dirty-flash from factory images rather than waiting for OTAs to show up. But now that they post those, it's not necessary for me.

The only problem is that locking the bootloader of a Nexus 6P will wipe your device. That's the most annoying part of all of this.

I HATE SafetyNet. I'm having the same problem on my 100% Stock Nexus 5X. I just re-pushed the factory image out to it, and it still fails the SafetyNet check. Not allowing root users to use Android Pay is 100% bogus. PCs are rooted devices, but we can do financial transactions with our banks on those. Google and the banks are full of s*!t on this issue. I'm really fed up. I keep my bootloader unlocked so I can root/unroot my device at will, so I can actually use Android Pay. Now I can't even do that. I first noticed the problem about 2 weeks ago.

chriv

FYI, I just called Nexus device support on this issue, and they were completely unable to help. That actually sent me to the (completely unrelated) Google Cloud Platform site, and had me click the "Send Feedback" link to request help (not support, but website feedback). Did I mention that I HATE SafetyNet???? If I were the Google CEO, I would mandate the complete abandonment of the SafetyNet API, and would prohibit app developers from checking for root. Did I mention that my device is not even rooted??? 100% stock....

JRomeo

I just bought the Google Pixel XL............... same problem, i cannot add a debit card to Android Pay............. google asked me to submit a bug report, but WTH? i want it fixed now !

JRomeo

what if your bootloader is NOT unlocked, and your phone is NOT rooted, and you just bought your Pixel XL Shipped directly from the Google Store, and you cannot add your debit card to Android Pay............. Then what????????????? I called google and they told me to submit a bug report (which I did), but my android pay app still does not let me add a debit card......... ?!?!?!!?!?!??!!??!!?!? Does anyone have any suggestions for me on how to fix this ?

Deftdrummer

Newsflash idiots; this article is regarding the API failing on an UNROOTED device with an UNLOCKED bootloader. In other words this bug should NOT be happening.

So quit going on and on about feeling disenfranchised due to having root. It has nothing to do with that.